Strange VPN / mounting issue with iMac and Synology DiskStation

Hi all,

There’s a weird problem I have accessing the management console and mounting file services from a Synology NAS Diskstation 1517+ via a VPN running on the same DiskStation on a 2017 iMac running Mac OS 10.14 Mojave. This is completely doing my head in, and I’m hoping that someone here might be able to provide me with the “A-ha!” moment I need. I’ve tried to provide as much info as possible.

Thank you for taking the time to read and consider what could be causing it.

Network Topology

The local network is sitting behind a NATted router, using 192.168.1.* as its address range. The router acts as both the gateway and DNS resolver. The device in question is a TPLink Archer 1600v2. All of the computers on the local network are Macs. There are two iMacs and one Mac laptop. The laptop is running MacOS10.12 (Sierra), both iMacs are running MacOS10.14 (Mojave). Both iMacs are running 10.14.6.

The remote network is also sitting behind a NATted router, using 192.168.178.* as its address range. It has a FritzBox 7272 as its gateway. The remote network is also running the Synology DiskStation 1517+ which provides VPN services, as well as file sharing via SMB and AFP, and DNS resolution. The DS1517+ is running on the latest version of the DSM software (6.2.3-25426 Update 2) and has a local address of 192.168.178.101.

All VPN connections mentioned in here are established using L2TP/IPSec.

Desired Behaviour

People on the local network connect to the VPN and are able to mount the services shared by the NAS via SMB. I would like to be able to connect to the NAS and manage it remotely using its web interface.

Existing Behaviour

I am able to obtain the desired behaviour when connecting from the local network to the VPN at the remote network from two machines (the laptop and one iMac) but not from the other machine (the other iMac). All machines have identical configuration settings for the VPN network connector via MacOS.

On the laptop and the “working” iMac: I am able to get a VPN connection up and going, and mount the remote volumes using SMB (via the Finder on the local Mac). I can also successfully ping and traceroute to 192.168.178.101. I can successfully connect to the NAS management console.

On the “non-working” iMac: I am able to get a VPN connection up and going. I can see the connections on the VPN Server Connections List. I am unable to mount the volumes using SMB or AFP via the Finder. I cannot ping or traceroute to 192.168.178.101 (pings time out, traceroute also eventually times out). Connecting via https to the management console failed as the browser could not find that server (sometimes it is unable to establish a secure connection to the server, and yes, I’m using https and connecting to the correct port).

The only clue I have is that coming up on the non-working iMac is an odd error message when ping fails: “Communication prohibited by filter” (for clarity, I have successfully connected to the VPN before issuing this command):

$ ping 192.168.178.101
PING 192.168.178.101 (192.168.178.101): 56 data bytes
36 bytes from 10.20.22.66: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 a54f 0 0000 3e 01 a229 192.168.1.122 192.168.178.101
Request timeout for icmp_seq 0
36 bytes from 10.20.22.66: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 8e07 0 0000 3e 01 b971 192.168.1.122 192.168.178.101

^C

Compare and contrast with the same command on the “working” iMac when connected to the VPN:

$ ping 192.168.178.101
PING 192.168.178.101 (192.168.178.101): 56 data bytes
64 bytes from 192.168.178.101: icmp_seq=0 ttl=64 time=17.359 ms
64 bytes from 192.168.178.101: icmp_seq=1 ttl=64 time=28.423 ms
64 bytes from 192.168.178.101: icmp_seq=2 ttl=64 time=33.618 ms

^C

Again, for completeness, the VPN is issuing IP addresses in the 10.2.0.x range for VPN connections; in this case the “non-working” iMac is 10.2.0.1 and the “working” iMac is 10.2.0.2.

Other Information

The issues occur whether there are multiple VPN connections or it is the only one. I have restarted both the DS and the iMac with no luck. The VPN connections are using the same user to connect (so not a user privileges issue).

These three machines are all connecting via the same route (albeit the laptop is using WiFi and the two iMacs are cabled). I’ve even tried swapping the ethernet cables around and I’ve tried connecting the “non-working” iMac via WiFi to see if that makes a difference (and you know you’re running out of ideas when you start to do weird stuff like that).

The local network and the remote network are serviced through the same ISP.

The entire purpose of this is that I’m expecting more COVID related lockdowns in our jurisdiction in the coming days, and my wife will have to start working remotely (she runs her own business, but may be required to work from home if possible. I’d like to make it possible).

As I said, it’s doing my head in! We’ve got two nominally identical machines, behind the same network infrastructure; one can connect properly and the other one cannot. (I say nominally, as clearly there is a difference somewhere :slight_smile: ) Has anyone got any ideas? I hope I’ve been able to provide sufficient information; if not, please let me know and I’ll supply any further requested info.

Thanks,

Paul
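For readers decoding the “Communication prohibited by filter” output above: that message is an ICMP Destination Unreachable (type 3, code 13) sent back by the hop that dropped the packet (here 10.20.22.66), and the “Vr HL TOS Len …” dump is the original datagram’s IP header quoted inside the ICMP error. The following Python parser is an added example, not code from this thread; it decodes a packet constructed from the values in the ping dump, with the outer header id/checksum and the echo id filled in as placeholders.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
# Destination Unreachable codes (RFC 792 / RFC 1812); code 13 is what macOS
# ping prints as "Communication prohibited by filter".
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
    9: "net administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited by filtering",
}
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def parse_ipv4_header(buf):
    """Decode a 20-byte IPv4 header (the fields ping shows as Vr HL TOS Len ...)."""
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, cksum, src, dst = \
        struct.unpack(IPV4_HDR, buf[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "tos": tos, "len": length,
            "id": ident, "ttl": ttl, "proto": proto, "cksum": cksum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def parse_icmp_error(packet):
    """Parse an IPv4 packet carrying ICMP Destination Unreachable.
    Returns the reporting hop, the code text, and the quoted original header
    (RFC 792: the ICMP payload is the original IP header plus 8 bytes)."""
    outer = parse_ipv4_header(packet)
    icmp = packet[outer["ihl"] * 4:]
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError(f"not Destination Unreachable: ICMP type {itype}")
    inner = parse_ipv4_header(icmp[8:28])  # quoted header follows the 8-byte ICMP header
    return {"reported_by": outer["src"], "code": code,
            "reason": UNREACH_CODES.get(code, "unknown"), "original": inner}


# Constructed sample modelled on the thread's reply from 10.20.22.66. Inner fields
# (id a54f, TTL 3e, proto 01, cksum a229, src, dst) are taken from the ping dump;
# Len 5400 in the dump is 0x0054 = 84 byte-swapped. Outer id/cksum and echo id are placeholders.
SAMPLE = (
    struct.pack(IPV4_HDR, 0x45, 0, 56, 0x0001, 0, 64, 1, 0,
                socket.inet_aton("10.20.22.66"), socket.inet_aton("192.168.1.122"))
    + struct.pack("!BBHI", ICMP_DEST_UNREACH, 13, 0, 0)  # ICMP type 3, code 13
    + struct.pack(IPV4_HDR, 0x45, 0, 84, 0xA54F, 0, 62, 1, 0xA229,
                  socket.inet_aton("192.168.1.122"), socket.inet_aton("192.168.178.101"))
    + struct.pack("!BBHHH", 8, 0, 0, 0x1234, 0)  # first 8 bytes of the original echo request
)

if __name__ == "__main__":
    err = parse_icmp_error(SAMPLE)
    print(f"{err['reported_by']} reports: {err['reason']} (code {err['code']})")
    o = err["original"]
    print(f"original datagram {o['src']} -> {o['dst']}, proto={o['proto']}, ttl={o['ttl']}")
```

Note that the quoted header carries the original source address and remaining TTL, so it tells you which interface address the probe left with and roughly how far it got before being filtered.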

If the only device at the remote site the VPN is being used to access is the device providing the VPN (the DiskStation), can’t you access the DiskStation’s other services (SMB, AFP, web for management) through the DiskStation’s “10 space” ip? My guess is 10.20.22.66 is the DiskStation’s ip within the VPN network, what happens if you try to connect to those services at that ip instead of 192.168.178.101?

If the DiskStation currently only listens to the necessary ports on the 192.168.178.101 ip, I would hope it can be configured to listen on all its ips.

Hi Curtis,

Thanks for your reply. Good idea, so I checked, and the DiskStation is only offering those services through the 192.168.178.101 IP address. Attempts to connect to the 10.* space address (with both SMB and https) ended in failure.

My gut feel is that there is an issue at the Mac client end; I’ve got two Macs working happily and one not, which says to me that the underlying issue is some kind of arcane network config setting on the recalcitrant iMac.

I’m about to now try turning the DiskStation off then on again to see if that helps :slight_smile:

Cheers,
Paul

Aaaaaaannnd… rebooting the DiskStation has cleared up that little problem.

Some things in IT never change :slight_smile:

Thanks to Curtis and anyone else who gave thought to the issue on my behalf.

Cheers,
Paul
